<!doctype html>
<html class="theme-next use-motion theme-next-mist">
<head>
  
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>

<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

  <meta name="google-site-verification" content="K8DCBviaoTBKVs28YBB7IBIbospQ9RVlgSh81RYMUhY" />


  <meta name="baidu-site-verification" content="tXr3ZTm3Hx" />



  <link rel="stylesheet" type="text/css" href="/vendors/fancybox/source/jquery.fancybox.css?v=2.1.5"/>


<link rel="stylesheet" type="text/css" href="/css/main.css?v=0.4.5.1"/>

  <meta name="description" content="xgfe's blog. 鲜果前端的技术博客，鲜果前端研发部官方博客。前端基础技术研究：html, html5, javascript, css, css3；前端框架研究：angularJs, react, react native." />


  <meta name="keywords" content="XSS,CSRF," />


  <link rel="alternate" target="_blank" href="/atom.xml" title="xgfe" type="application/atom+xml" />


  <link rel="shorticon icon" type="image/x-icon" href="http://p0.meituan.net/xgfe/2db359f56ce13be30dedef160e0e57ce16958.ico?v=0.4.5.1" />

<meta name="keywords" content="XSS,CSRF">
<meta property="og:type" content="article">
<meta property="og:title" content="Web安全技术">
<meta property="og:url" content="http://xgfe.github.io/2016/11/28/felix/web-secure-skill/index.html">
<meta property="og:site_name" content="xgfe">
<meta property="og:image" content="http://p1.meituan.net/dpnewvc/14a8bd5f9ddbc7d0ca9548c2bdfdf92e66222.png">
<meta property="og:image" content="http://p1.meituan.net/dpnewvc/944dae0fc2cd1cfd936f327976410dd5230483.png">
<meta property="og:updated_time" content="2017-04-12T08:03:36.000Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Web安全技术">
<meta name="twitter:image" content="http://p1.meituan.net/dpnewvc/14a8bd5f9ddbc7d0ca9548c2bdfdf92e66222.png">


<script type="text/javascript" id="hexo.configuration">
  var CONFIG = {
    scheme: 'Mist',
    sidebar: 'post'
  };
</script>

  <title> Web安全技术 | xgfe </title>
</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
  <div style="position: fixed; top: -9999px; left: -9999px;">
    <img src="http://p0.meituan.net/xgfe/082a9624ba5ae8602150a2d43968463e49348.png" alt="xgfe"/>
  </div>
  <!--[if lte IE 8]>
  <div style=' clear: both; height: 59px; padding:0 0 0 15px; position: relative;margin:0 auto;'>
    <a href="http://windows.microsoft.com/en-US/internet-explorer/products/ie/home?ocid=ie6_countdown_bannercode">
      <img src="http://7u2nvr.com1.z0.glb.clouddn.com/picouterie.jpg" border="0" height="42" width="820"
           alt="You are using an outdated browser. For a faster, safer browsing experience, upgrade for free today or use other browser ,like chrome firefox safari."
           style='margin-left:auto;margin-right:auto;display: block;'/>
    </a>
  </div>
<![endif]-->
  

  <script type="text/javascript">
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "//hm.baidu.com/hm.js?3601d4483819a5ab6ddabb0b6422a328";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>



  <div class="container one-column page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><h1 class="site-meta">
  <span class="logo-line-before"><i></i></span>
  <a href="/" class="brand" rel="start">
      <span class="logo">
        <i class="icon-next-logo"></i>
      </span>
      <span class="site-title">xgfe</span>
  </a>
  <span class="logo-line-after"><i></i></span>
</h1>

<div class="site-nav-toggle">
  <button>
    <span class="btn-bar"></span>
    <span class="btn-bar"></span>
    <span class="btn-bar"></span>
  </button>
</div>

<nav class="site-nav">
  
  

  
    <ul id="menu" class="menu menu-left">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            <i class="menu-item-icon icon-next-home"></i> <br />
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives" rel="section">
            <i class="menu-item-icon icon-next-archives"></i> <br />
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags" rel="section">
            <i class="menu-item-icon icon-next-tags"></i> <br />
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-join">
          <a href="/join" rel="section">
            <i class="menu-item-icon icon-next-join"></i> <br />
            加入我们
          </a>
        </li>
      
      <!-- slide-links added by felix -->
      <li class="menu-item menu-item-slides" style="opacity: 1; transform: translateY(0px);">
        <a href="http://xgfe.github.io/Basics/" target="_blank" rel="section">
          <i class="menu-item-icon icon-next-slides"></i> <br>
          Basics
        </a>
      </li>
      <li class="menu-item menu-item-slides" style="opacity: 1; transform: translateY(0px);">
        <a href="https://slides.com/xgfe" target="_blank" rel="section">
          <i class="menu-item-icon icon-next-slides"></i> <br>
          Slides
        </a>
      </li>

      
      
    </ul>
  

  
    <div class="site-search">
      

    </div>
  

    <div class="site-search">
      <form class="site-search-form" id="gg-form" action="https://www.google.com/webhp" >
        <input type="text" name="q" id="gg-search-input" class="menu-search-input">
      </form>
    </div>
</nav>
 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div id="content" class="content"> 

  <div id="posts" class="posts-expand">
    

  <article class="post post-type-normal " itemscope itemtype="http://schema.org/Article">
    <header class="post-header">

      
      
        <h1 class="post-title" itemprop="name headline">
          
          
            
              Web安全技术
            
          
        </h1>
      

      <div class="post-meta">
        <span class="post-time">
          发表于
          <time itemprop="dateCreated" datetime="2016-11-28T21:47:00+08:00" content="2016-11-28">
            2016-11-28
          </time>
        </span>

        
          <span class="post-category" >
            &nbsp; | &nbsp; 作者
            
              <span itemprop="about" itemscope itemtype="https://schema.org/Thing">
                <a href="/categories/felix/" itemprop="url" rel="index">
                  <span itemprop="name">felix</span>
                </a>
              </span>

              
              

            
          </span>
        

        
          
        

        <!-- tags 挪动位置 -->
        
          <span class="post-tags">
            &nbsp; | &nbsp;
            
              <a href="/tags/XSS/" rel="tag"><i class="icon-next-tags"></i>XSS</a>
            
              <a href="/tags/CSRF/" rel="tag"><i class="icon-next-tags"></i>CSRF</a>
            
          </span>
        
      </div>
    </header>

    <div class="post-body">

      
      

      
        <span itemprop="articleBody"><p><iframe src="//slides.com/xgfe/deck-5/embed" width="576" height="420" scrolling="no" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen></iframe><br><a id="more"></a></p>
<h2 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h2><p>Cross Site Scripting, 跨站脚本</p>
<p>跨站脚本发生在目标网站中目标用户的<strong>浏览器</strong>层面上，当用户浏览器渲染整个HTML文档的过程中出现了<strong>不被预期的</strong>脚本指令并执行，XSS就会发生。</p>
<p>想尽一切办法将你的脚本内容在目标网站中目标用户的浏览器上解析执行即可。</p>
<h3 id="类型"><a href="#类型" class="headerlink" title="类型"></a>类型</h3><h4 id="反射型XSS（非持久型XSS）"><a href="#反射型XSS（非持久型XSS）" class="headerlink" title="反射型XSS（非持久型XSS）"></a>反射型XSS（非持久型XSS）</h4><p>发出请求时，XSS代码出现在URL中作为输入提交到服务端，服务端解析后响应，在响应内容中出现这段XSS代码，最后浏览器解析执行。</p>
<ol>
<li>服务端输出HTML</li>
<li>服务端输出为Location字段</li>
</ol>
<h4 id="存储型XSS（持久型XSS）"><a href="#存储型XSS（持久型XSS）" class="headerlink" title="存储型XSS（持久型XSS）"></a>存储型XSS（持久型XSS）</h4><p>提交的XSS代码会存储在服务端（留言板）</p>
<h4 id="DOM-XSS"><a href="#DOM-XSS" class="headerlink" title="DOM XSS"></a>DOM XSS</h4><p>不需要服务端参与，靠浏览器端的DOM解析触发</p>
<h3 id="危害"><a href="#危害" class="headerlink" title="危害"></a>危害</h3><ol>
<li>挂马</li>
<li>盗取用户Cookie</li>
<li>Dos（拒绝服务）客户端浏览器</li>
<li>钓鱼攻击</li>
<li>编写正对性的CSS病毒，删除目标文章、恶意篡改数据</li>
<li>劫持用户Web行为</li>
<li>爆发Web 2.0蠕虫</li>
</ol>
<h2 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h2><p>Cross Site Request Forgery, 跨站请求伪造</p>
<p>伪造：如果请求的发出不是用户的意愿，那么这个请求就是伪造的</p>
<h3 id="类型-1"><a href="#类型-1" class="headerlink" title="类型"></a>类型</h3><h4 id="HTML-CSRF攻击"><a href="#HTML-CSRF攻击" class="headerlink" title="HTML CSRF攻击"></a>HTML CSRF攻击</h4><p>发起的CSRF请求都属于HTML元素发起的。</p>
<p>HTML中能够设置src/href等链接地址的标签都可以发起GET请求。<br>eg. link, img, meta, iframe, script, bgsound, embed, video, audio, a, table[background], @import “”, background: url(“”)</p>
<h4 id="JSON-HiJacking攻击"><a href="#JSON-HiJacking攻击" class="headerlink" title="JSON HiJacking攻击"></a>JSON HiJacking攻击</h4><h2 id="界面操作劫持"><a href="#界面操作劫持" class="headerlink" title="界面操作劫持"></a>界面操作劫持</h2><p>一种基于视觉欺骗的Web会话劫持攻击，它通过在网页的可见输入控件上覆盖一个不可见的框(iframe)，使得用户误以为在操作可见控件，而实际上用户的操作行为被其不可见的框所劫持，执行不可见框中的恶意劫持代码，从而完成在用户不知情的情况下窃取敏感信息、篡改数据等攻击。</p>
<p>技术发展阶段分类：点击劫持、拖放劫持、触屏劫持</p>
<h2 id="漏洞挖掘"><a href="#漏洞挖掘" class="headerlink" title="漏洞挖掘"></a>漏洞挖掘</h2><h3 id="CSRF的漏洞挖掘"><a href="#CSRF的漏洞挖掘" class="headerlink" title="CSRF的漏洞挖掘"></a>CSRF的漏洞挖掘</h3><ol>
<li>确认目标表单是否有有效的token随机串</li>
<li>目标表单是否有验证码</li>
<li>目标是否判断了Referer来源</li>
<li>网站根目录下crossdomain.xml的“allow-access-from domain”是否是通配符</li>
<li>目标JSON数据似乎可以自定义callback函数</li>
</ol>
<h3 id="界面操作劫持的漏洞挖掘"><a href="#界面操作劫持的漏洞挖掘" class="headerlink" title="界面操作劫持的漏洞挖掘"></a>界面操作劫持的漏洞挖掘</h3><ol>
<li>目标的HTTP响应头是否设置好了X-Frame-Options字段</li>
<li>目标是否有JavaScript的Frame Busting机制</li>
<li>即目标网站能不能被iframe嵌入</li>
</ol>
<h3 id="普通XSS漏洞自动化挖掘"><a href="#普通XSS漏洞自动化挖掘" class="headerlink" title="普通XSS漏洞自动化挖掘"></a>普通XSS漏洞自动化挖掘</h3><ol>
<li>探子请求，确定反射位置</li>
<li>构造攻击</li>
</ol>
<h3 id="存储型XSS漏洞挖掘"><a href="#存储型XSS漏洞挖掘" class="headerlink" title="存储型XSS漏洞挖掘"></a>存储型XSS漏洞挖掘</h3><p>重点在于如何确定输出点</p>
<ol>
<li>表单提交后跳转页面有可能是输出点</li>
<li>表单所在页面有可能是输出点</li>
<li>全站查找，可先缓存页面，然后根据Last-Modified和Etag头部判断</li>
</ol>
<h3 id="编解码-DOM-XSS挖掘预备知识"><a href="#编解码-DOM-XSS挖掘预备知识" class="headerlink" title="编解码(DOM XSS挖掘预备知识)"></a>编解码(DOM XSS挖掘预备知识)</h3><h4 id="HTML形式编码"><a href="#HTML形式编码" class="headerlink" title="HTML形式编码"></a>HTML形式编码</h4><p>以下HTML形式的编码会在HTML中自动解码。</p>
<ol>
<li>进制编码: &#xH; (十六进制格式)、&#D; (十进制格式)</li>
<li>HTML实体编码: &lt; &gt; &quot; &amp; &nbsp;</li>
</ol>
<h4 id="CSS-属性中的编码"><a href="#CSS-属性中的编码" class="headerlink" title="CSS 属性中的编码"></a>CSS 属性中的编码</h4><ol>
<li>兼容HTML形式编码</li>
<li>十六进制还可以使用\H的形式. eg. \6c</li>
</ol>
<h4 id="Javascript编码"><a href="#Javascript编码" class="headerlink" title="Javascript编码"></a>Javascript编码</h4><p>在Javascript执行之前，以下Javascript形式的编码会自动解码。</p>
<ol>
<li>Unicode形式: \uH(十六进制)</li>
<li>普通十六进制: \xH</li>
<li>纯转义: \’ \” \&lt; ></li>
</ol>
<h4 id="具备HtmlEncode功能的标签"><a href="#具备HtmlEncode功能的标签" class="headerlink" title="具备HtmlEncode功能的标签"></a>具备HtmlEncode功能的标签</h4><p>textarea, title, iframe, noscript, noframes, xmp, plaintext</p>
<h3 id="DOM-XSS挖掘"><a href="#DOM-XSS挖掘" class="headerlink" title="DOM XSS挖掘"></a>DOM XSS挖掘</h3><h4 id="静态方法"><a href="#静态方法" class="headerlink" title="静态方法"></a>静态方法</h4><p>[入点和输出点匹配正则表达式] (<a href="http://code.google.com/p/domxsswiki/wiki/FindingDOMXSS" target="_blank" rel="external">http://code.google.com/p/domxsswiki/wiki/FindingDOMXSS</a>)</p>
<p>发现可疑点后需要人工分析。</p>
<h4 id="动态方法"><a href="#动态方法" class="headerlink" title="动态方法"></a>动态方法</h4><p>模糊测试所有输入点提交标志位，然后全文档监测标志位是否出现</p>
<h3 id="Flash-XSS-挖掘"><a href="#Flash-XSS-挖掘" class="headerlink" title="Flash XSS 挖掘"></a>Flash XSS 挖掘</h3><h4 id="静态分析"><a href="#静态分析" class="headerlink" title="静态分析"></a>静态分析</h4><p>工具反编译</p>
<h3 id="字符集缺陷导致的XSS"><a href="#字符集缺陷导致的XSS" class="headerlink" title="字符集缺陷导致的XSS"></a>字符集缺陷导致的XSS</h3><ol>
<li>宽字节编码带来的安全问题 P.160</li>
</ol>
<p>GBK、GB2312</p>
<h2 id="代码注入技巧"><a href="#代码注入技巧" class="headerlink" title="代码注入技巧"></a>代码注入技巧</h2><ul>
<li><a href="https://github.com/cure53/H5SC" target="_blank" rel="external">HTML5 XSS Attack Vectors</a></li>
<li><a href="shazzer.co.uk/vectors">SHARED ONLINE FUZZING</a></li>
</ul>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><h3 id="获取隐私数据"><a href="#获取隐私数据" class="headerlink" title="获取隐私数据"></a>获取隐私数据</h3><p>Cookie, browser, ua, Referer…</p>
<ol>
<li>Referer暴露Token</li>
<li>获取浏览器记住的明文密码</li>
<li>键盘记录器</li>
<li>开启路由远程访问能力</li>
<li>劫持保持：window.open()拦截link跳转，操作新窗口添加劫持脚本</li>
</ol>
<h2 id="Web蠕虫"><a href="#Web蠕虫" class="headerlink" title="Web蠕虫"></a>Web蠕虫</h2><h3 id="类型-2"><a href="#类型-2" class="headerlink" title="类型"></a>类型</h3><ol>
<li>XSS蠕虫</li>
<li>CSRF蠕虫</li>
<li>Clickjacking蠕虫</li>
</ol>
<h3 id="蠕虫性质"><a href="#蠕虫性质" class="headerlink" title="蠕虫性质"></a>蠕虫性质</h3><ol>
<li>传播性: Web层面上就是基于HTTP请求传播</li>
<li>病毒行为: 会进行一些恶意操作。Web层面主要是通过Javascript脚本发起各种恶意的HTTP请求。</li>
</ol>
<h3 id="XSS蠕虫的条件"><a href="#XSS蠕虫的条件" class="headerlink" title="XSS蠕虫的条件"></a>XSS蠕虫的条件</h3><ol>
<li>目标网站具备Web 2.0的关键特性：内容由用户驱动(UGC)</li>
<li>存在XSS漏洞</li>
<li>被感染的用户是登录状态，这样XSS的权限就是登录后的权限，能执行更多的恶意操作</li>
<li>XSS蠕虫传播利用的关键功能本身具备内容传播性</li>
</ol>
<h2 id="防御"><a href="#防御" class="headerlink" title="防御"></a>防御</h2><h3 id="浏览器厂商的防御"><a href="#浏览器厂商的防御" class="headerlink" title="浏览器厂商的防御"></a>浏览器厂商的防御</h3><ol>
<li><p>HTTP响应的X-头部. HTTP响应的扩展头部字段都以X-打头，区分标准的头部字段</p>
<ul>
<li>X-Frame-Options: 防御ClickJacking<ul>
<li>==DENY==: 禁止被加载进任何frame</li>
<li>==SAMEORIGIN==: 仅允许被加载进同yu’nei同域内的frame</li>
<li>==ALLOW-FROM uri==: 不允许被指定的域名以外的页面嵌入(Chrome不支持)</li>
</ul>
</li>
<li>X-XSS-Protection: 防御反射型XSS<ul>
<li>==0==: 禁用这个策略</li>
<li>==1==: 默认值，对危险脚本做一些标志或修改，以阻止在浏览器上渲染执行</li>
<li>==1;mode=block==: 强制不渲染，在Chrome下直接跳转到空白页，在IE下返回一个#符号</li>
</ul>
</li>
<li><p>Content-Security-Policy: (<a href="http://www.w3.org/TR/CSP" target="_blank" rel="external">CSP</a>)<br>  <img src="http://p1.meituan.net/dpnewvc/14a8bd5f9ddbc7d0ca9548c2bdfdf92e66222.png" alt=""></p>
<ul>
<li>[指令1] [指令值1] [指令值2]; …</li>
<li>指令: default-src, script-src, style-src, img-src, connect-src, font-src, object-src, media-scr, frame-src, sandbox-src, report-uri</li>
<li>指令值:<br>  <img src="http://p1.meituan.net/dpnewvc/944dae0fc2cd1cfd936f327976410dd5230483.png" alt=""></li>
<li>不特别指定 ‘unsafe-inline’ 时，页面上所有 inline 样式和脚本都不会执行；不特别指定 ‘unsafe-eval’，页面上不允许使用 new Function，setTimeout，eval 等方式执行动态代码</li>
<li>担心影响面太大，也可以像下面这样，仅收集不匹配规则的日志，可以设置<code>Content-Security-Policy-Report-Only</code>先观察下：  <figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">Content-Security-Policy-Report-Only: script-src &apos;self&apos;; report-uri http://test/</div></pre></td></tr></table></figure>
</li>
</ul>
</li>
<li><p>Strict-Transport-Security</p>
<ul>
<li><p>HTTP Strict Transport Security，简称为HSTS. 它允许一个HTTPS网站，要求浏览器总是通过HTTPS来访问它，<strong>浏览器端重定向</strong></p>
  <figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">strict-transport-security: max-age=16070400; includeSubDomains</div></pre></td></tr></table></figure>
</li>
<li><p>Chrome内置了一个<a href="chrome://net-internals/#hsts" target="_blank" rel="external">HSTS列表</a>, 可以增删改查</p>
</li>
</ul>
</li>
<li><p>X-Content-Type-Options：禁用浏览器的类型猜测行为</p>
  <figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">X-Content-Type-Options: nosniff</div></pre></td></tr></table></figure>
</li>
</ul>
</li>
</ol>
<h3 id="Web厂商的防御"><a href="#Web厂商的防御" class="headerlink" title="Web厂商的防御"></a>Web厂商的防御</h3><ol>
<li>域分离</li>
<li>安全传输，HTTPS</li>
<li>安全的Cookie, HttpOnly、Secure</li>
<li>验证码</li>
<li>慎防第三方内容</li>
<li>XSS防御方案 OWASP的ESAPI</li>
</ol>
<h3 id="工具汇总"><a href="#工具汇总" class="headerlink" title="工具汇总"></a>工具汇总</h3><ol>
<li><a href="http://monyer.com/demo/monyerjs/" target="_blank" rel="external">编解码工具</a></li>
<li><a href="https://github.com/addthis/hydra" target="_blank" rel="external">Hydra</a></li>
<li><a href="https://github.com/beefproject/beef" target="_blank" rel="external">BeFE</a>渗透探索工具</li>
<li>Metasploit</li>
<li>EditThisCookie</li>
</ol>
<h2 id="参考文献"><a href="#参考文献" class="headerlink" title="参考文献"></a>参考文献</h2><ol>
<li>《Web前端黑客技术揭秘》</li>
<li><a href="https://imququ.com/post/content-security-policy-reference.html" target="_blank" rel="external">Content Security Policy 介绍</a></li>
<li><a href="https://imququ.com/post/web-security-and-response-header.htm" target="_blank" rel="external">一些安全相关的HTTP响应头</a></li>
<li><a href="http://evilcos.me/?p=336" target="_blank" rel="external">我的渗透利器-余弦</a></li>
<li><a href="https://www.zhihu.com/question/21606800" target="_blank" rel="external">零基础如何学习 Web 安全？-知乎</a></li>
</ol>
</span>
      
    </div>

    <footer class="post-footer">

      
        <div class="post-nav">
          <div class="post-nav-prev post-nav-item">
            
              <a href="/2016/11/30/scliuyang/yarn/" rel="prev">js新的包管理工具yarn</a>
            
          </div>

          <div class="post-nav-next post-nav-item">
            
              <a href="/2016/11/09/zhouxiong/vue-in-action-vue-basis/" rel="next">Vue实战(一) -- Vue基础总结</a>
            
          </div>
        </div>
      

      
      
    </footer>
  </article>



    <div class="post-spread">
      
        <!-- JiaThis Button BEGIN -->
<div class="jiathis_style">
  <a class="jiathis_button_tsina"></a>
  <a class="jiathis_button_tqq"></a>
  <a class="jiathis_button_weixin"></a>
  <a class="jiathis_button_cqq"></a>
  <a class="jiathis_button_douban"></a>
  <a class="jiathis_button_renren"></a>
  <a class="jiathis_button_qzone"></a>
  <a class="jiathis_button_kaixin001"></a>
  <a class="jiathis_button_copy"></a>
  <a href="http://www.jiathis.com/share" class="jiathis jiathis_txt jiathis_separator jtico jtico_jiathis" target="_blank"></a>
  <a class="jiathis_counter_style"></a>
</div>
<script type="text/javascript" >
  var jiathis_config={
    hideMore:false
  }
</script>
<script type="text/javascript" src="http://v3.jiathis.com/code/jia.js" charset="utf-8"></script>
<!-- JiaThis Button END -->

      
    </div>
  </div>

 </div>

        

        
          <div class="comments" id="comments">
            <div id="SOHUCS" sid="" ></div>
          </div>
        
      </div>

      
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    <div class="sidebar-inner">

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap" >
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
          <a href="https://github.com/xgfe" target="_blank"><img class="site-author-image" src="http://p0.meituan.net/xgfe/082a9624ba5ae8602150a2d43968463e49348.png" alt="xgfe" itemprop="image"/></a>
          <p class="site-author-name" itemprop="name">xgfe</p>
        </div>
        <p class="site-description motion-element" itemprop="description">xgfe's blog. 鲜果前端的技术博客，鲜果前端研发部官方博客。前端基础技术研究：html, html5, javascript, css, css3；前端框架研究：angularJs, react, react native.</p>
        <nav class="site-state motion-element">
          <div class="site-state-item site-state-posts">
            <a href="/archives">
              <span class="site-state-item-count">89</span>
              <span class="site-state-item-name">日志</span>
            </a>
          </div>

          <div class="site-state-item site-state-categories">
            
              <span class="site-state-item-count">37</span>
              <span class="site-state-item-name">作者</span>
              
          </div>

          <div class="site-state-item site-state-tags">
            <a href="/tags">
              <span class="site-state-item-count">131</span>
              <span class="site-state-item-name">标签</span>
              </a>
          </div>

        </nav>

        
          <div class="feed-link motion-element">
            <a href="/atom.xml" target="_blank" rel="alternate">
              <i class="menu-item-icon icon-next-feed"></i>
              RSS
            </a>
          </div>
        

        <div class="links-of-author motion-element">
          
            
              <span class="links-of-author-item">
                <a href="https://github.com/xgfe" target="_blank">GitHub</a>
              </span>
            
          
        </div>

        
        

        <div class="links-of-author motion-element">
          
        </div>

      </section>

      
        <section class="post-toc-wrap sidebar-panel-active">
          <div class="post-toc-indicator-top post-toc-indicator"></div>
          <div class="post-toc">
            
            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#XSS"><span class="nav-number">1.</span> <span class="nav-text">XSS</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#类型"><span class="nav-number">1.1.</span> <span class="nav-text">类型</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#反射型XSS（非持久型XSS）"><span class="nav-number">1.1.1.</span> <span class="nav-text">反射型XSS（非持久型XSS）</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#存储型XSS（持久型XSS）"><span class="nav-number">1.1.2.</span> <span class="nav-text">存储型XSS（持久型XSS）</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#DOM-XSS"><span class="nav-number">1.1.3.</span> <span class="nav-text">DOM XSS</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#危害"><span class="nav-number">1.2.</span> <span class="nav-text">危害</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#CSRF"><span class="nav-number">2.</span> <span class="nav-text">CSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#类型-1"><span class="nav-number">2.1.</span> <span class="nav-text">类型</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#HTML-CSRF攻击"><span class="nav-number">2.1.1.</span> <span class="nav-text">HTML CSRF攻击</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#JSON-HiJacking攻击"><span class="nav-number">2.1.2.</span> <span class="nav-text">JSON HiJacking攻击</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#界面操作劫持"><span class="nav-number">3.</span> <span class="nav-text">界面操作劫持</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞挖掘"><span class="nav-number">4.</span> <span class="nav-text">漏洞挖掘</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#CSRF的漏洞挖掘"><span class="nav-number">4.1.</span> <span class="nav-text">CSRF的漏洞挖掘</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#界面操作劫持的漏洞挖掘"><span class="nav-number">4.2.</span> <span class="nav-text">界面操作劫持的漏洞挖掘</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#普通XSS漏洞自动化挖掘"><span class="nav-number">4.3.</span> <span class="nav-text">普通XSS漏洞自动化挖掘</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#存储型XSS漏洞挖掘"><span class="nav-number">4.4.</span> <span class="nav-text">存储型XSS漏洞挖掘</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#编解码-DOM-XSS挖掘预备知识"><span class="nav-number">4.5.</span> <span class="nav-text">编解码(DOM XSS挖掘预备知识)</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#HTML形式编码"><span class="nav-number">4.5.1.</span> <span class="nav-text">HTML形式编码</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#CSS-属性中的编码"><span class="nav-number">4.5.2.</span> <span class="nav-text">CSS 属性中的编码</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#Javascript编码"><span class="nav-number">4.5.3.</span> <span class="nav-text">Javascript编码</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#具备HtmlEncode功能的标签"><span class="nav-number">4.5.4.</span> <span class="nav-text">具备HtmlEncode功能的标签</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#DOM-XSS挖掘"><span class="nav-number">4.6.</span> <span class="nav-text">DOM XSS挖掘</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#静态方法"><span class="nav-number">4.6.1.</span> <span class="nav-text">静态方法</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#动态方法"><span class="nav-number">4.6.2.</span> <span class="nav-text">动态方法</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Flash-XSS-挖掘"><span class="nav-number">4.7.</span> <span class="nav-text">Flash XSS 挖掘</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#静态分析"><span class="nav-number">4.7.1.</span> <span class="nav-text">静态分析</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#字符集缺陷导致的XSS"><span class="nav-number">4.8.</span> <span class="nav-text">字符集缺陷导致的XSS</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#代码注入技巧"><span class="nav-number">5.</span> <span class="nav-text">代码注入技巧</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞利用"><span class="nav-number">6.</span> <span class="nav-text">漏洞利用</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#获取隐私数据"><span class="nav-number">6.1.</span> <span class="nav-text">获取隐私数据</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Web蠕虫"><span class="nav-number">7.</span> <span class="nav-text">Web蠕虫</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#类型-2"><span class="nav-number">7.1.</span> <span class="nav-text">类型</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#蠕虫性质"><span class="nav-number">7.2.</span> <span class="nav-text">蠕虫性质</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#XSS蠕虫的条件"><span class="nav-number">7.3.</span> <span class="nav-text">XSS蠕虫的条件</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#防御"><span class="nav-number">8.</span> <span class="nav-text">防御</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#浏览器厂商的防御"><span class="nav-number">8.1.</span> <span class="nav-text">浏览器厂商的防御</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Web厂商的防御"><span class="nav-number">8.2.</span> <span class="nav-text">Web厂商的防御</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#工具汇总"><span class="nav-number">8.3.</span> <span class="nav-text">工具汇总</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#参考文献"><span class="nav-number">9.</span> <span class="nav-text">参考文献</span></a></li></ol></div>
            
          </div>
          <div class="post-toc-indicator-bottom post-toc-indicator"></div>
        </section>
      

    </div>
  </aside>


    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner"> <div class="copyright" >
  
  &copy; &nbsp; 
  <span itemprop="copyrightYear">2018</span>
  <span class="with-love">
    <i class="icon-next-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">xgfe</span>
</div>

<div class="powered-by">
  由 <a class="theme-link" target="_blank" href="http://hexo.io">Hexo</a> 强力驱动
</div>

<div class="theme-info">
  主题 -
  <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">
    NexT.Mist
  </a>
</div>


 </div>
    </footer>

    <div class="back-to-top"></div>
  </div>

  <script type="text/javascript" src="/vendors/jquery/index.js?v=2.1.3"></script>

  
  
  
    <script type="text/javascript"> 
(function(){ 
var appid = 'cysWiXvkm'; 
var conf = 'prod_fc970dbe85103c7a79b2c4f3dc7fb190'; 
var width = window.innerWidth || document.documentElement.clientWidth; 
if (width < 960) { 
window.document.write('<script id="changyan_mobile_js" charset="utf-8" type="text/javascript" src="http://changyan.sohu.com/upload/mobile/wap-js/changyan_mobile.js?client_id=' + appid + '&conf=' + conf + '"><\/script>'); } else { var loadJs=function(d,a){var c=document.getElementsByTagName("head")[0]||document.head||document.documentElement;var b=document.createElement("script");b.setAttribute("type","text/javascript");b.setAttribute("charset","UTF-8");b.setAttribute("src",d);if(typeof a==="function"){if(window.attachEvent){b.onreadystatechange=function(){var e=b.readyState;if(e==="loaded"||e==="complete"){b.onreadystatechange=null;a()}}}else{b.onload=a}}c.appendChild(b)};loadJs("http://changyan.sohu.com/upload/changyan.js",function(){window.changyan.api.config({appid:appid,conf:conf})}); } })(); </script>
    

  


  
  
  <script type="text/javascript" src="/vendors/fancybox/source/jquery.fancybox.pack.js"></script>
  <script type="text/javascript" src="/js/fancy-box.js?v=0.4.5.1"></script>


  <script type="text/javascript" src="/js/helpers.js?v=0.4.5.1"></script>
  

  <script type="text/javascript" src="/vendors/velocity/velocity.min.js"></script>
  <script type="text/javascript" src="/vendors/velocity/velocity.ui.min.js"></script>

  <script type="text/javascript" src="/js/motion_global.js?v=0.4.5.1" id="motion.global"></script>




  <script type="text/javascript" src="/js/nav-toggle.js?v=0.4.5.1"></script>
  <script type="text/javascript" src="/vendors/fastclick/lib/fastclick.min.js?v=1.0.6"></script>

  
  
<script type="text/javascript" src="/js/bootstrap.scrollspy.js?v=0.4.5.1" id="bootstrap.scrollspy.custom"></script>


<script type="text/javascript" id="sidebar.toc.highlight">
  $(document).ready(function () {
    var tocSelector = '.post-toc';
    var $tocSelector = $(tocSelector);
    var activeCurrentSelector = '.active-current';

    $tocSelector
      .on('activate.bs.scrollspy', function () {
        var $currentActiveElement = $(tocSelector + ' .active').last();

        removeCurrentActiveClass();
        $currentActiveElement.addClass('active-current');

        $tocSelector[0].scrollTop = $currentActiveElement.position().top;
      })
      .on('clear.bs.scrollspy', function () {
        removeCurrentActiveClass();
      });

    function removeCurrentActiveClass () {
      $(tocSelector + ' ' + activeCurrentSelector)
        .removeClass(activeCurrentSelector.substring(1));
    }

    function processTOC () {
      getTOCMaxHeight();
      toggleTOCOverflowIndicators();
    }

    function getTOCMaxHeight () {
      var height = $('.sidebar').height() -
                   $tocSelector.position().top -
                   $('.post-toc-indicator-bottom').height();

      $tocSelector.css('height', height);

      return height;
    }

    function toggleTOCOverflowIndicators () {
      tocOverflowIndicator(
        '.post-toc-indicator-top',
        $tocSelector.scrollTop() > 0 ? 'show' : 'hide'
      );

      tocOverflowIndicator(
        '.post-toc-indicator-bottom',
        $tocSelector.scrollTop() >= $tocSelector.find('ol').height() - $tocSelector.height() ? 'hide' : 'show'
      )
    }

    $(document).on('sidebar.motion.complete', function () {
      processTOC();
    });

    $('body').scrollspy({ target: tocSelector });
    $(window).on('resize', function () {
      if ( $('.sidebar').hasClass('sidebar-active') ) {
        processTOC();
      }
    });

    onScroll($tocSelector);

    function onScroll (element) {
      element.on('mousewheel DOMMouseScroll', function (event) {
          var oe = event.originalEvent;
          var delta = oe.wheelDelta || -oe.detail;

          this.scrollTop += ( delta < 0 ? 1 : -1 ) * 30;
          event.preventDefault();

          toggleTOCOverflowIndicators();
      });
    }

    function tocOverflowIndicator (indicator, action) {
      var $indicator = $(indicator);
      var opacity = action === 'show' ? 0.4 : 0;
      $indicator.velocity ?
        $indicator.velocity('stop').velocity({
          opacity: opacity
        }, { duration: 100 }) :
        $indicator.stop().animate({
          opacity: opacity
        }, 100);
    }

  });
</script>

<script type="text/javascript" id="sidebar.nav">
  $(document).ready(function () {
    var html = $('html');
    var TAB_ANIMATE_DURATION = 200;
    var hasVelocity = $.isFunction(html.velocity);

    $('.sidebar-nav li').on('click', function () {
      var item = $(this);
      var activeTabClassName = 'sidebar-nav-active';
      var activePanelClassName = 'sidebar-panel-active';
      if (item.hasClass(activeTabClassName)) {
        return;
      }

      var currentTarget = $('.' + activePanelClassName);
      var target = $('.' + item.data('target'));

      hasVelocity ?
        currentTarget.velocity('transition.slideUpOut', TAB_ANIMATE_DURATION, function () {
          target
            .velocity('stop')
            .velocity('transition.slideDownIn', TAB_ANIMATE_DURATION)
            .addClass(activePanelClassName);
        }) :
        currentTarget.animate({ opacity: 0 }, TAB_ANIMATE_DURATION, function () {
          currentTarget.hide();
          target
            .stop()
            .css({'opacity': 0, 'display': 'block'})
            .animate({ opacity: 1 }, TAB_ANIMATE_DURATION, function () {
              currentTarget.removeClass(activePanelClassName);
              target.addClass(activePanelClassName);
            });
        });

      item.siblings().removeClass(activeTabClassName);
      item.addClass(activeTabClassName);
    });

    $('.post-toc a').on('click', function (e) {
      e.preventDefault();
      var targetSelector = escapeSelector(this.getAttribute('href'));
      var offset = $(targetSelector).offset().top;
      hasVelocity ?
        html.velocity('stop').velocity('scroll', {
          offset: offset  + 'px',
          mobileHA: false
        }) :
        $('html, body').stop().animate({
          scrollTop: offset
        }, 500);
    });

    // Expand sidebar on post detail page by default, when post has a toc.
    var $tocContent = $('.post-toc-content');
    if (isDesktop() && CONFIG.sidebar === 'post') {
      if ($tocContent.length > 0 && $tocContent.html().trim().length > 0) {
        displaySidebar();
      }
    }
  });
</script>



  <script type="text/javascript">
    $(document).ready(function () {
      if (CONFIG.sidebar === 'always') {
        displaySidebar();
      }
      if (isMobile()) {
        FastClick.attach(document.body);
      }
    });
  </script>

  

  
  

  
  <script type="text/javascript" src="/js/lazyload.js"></script>
  <script type="text/javascript">
    $(function () {
      $("#posts").find('img').lazyload({
        placeholder: "/images/loading.gif",
        effect: "fadeIn"
      });
    });
  </script>

  <!-- google search, added by felix -->
  <script>
      $('#gg-form').on('submit', function(e) {
        var keyword = $.trim($(this).find('#gg-search-input').val());
        if (keyword) {
          location.href = 'https://www.google.com.hk/?gfe_rd=cr&ei=hXw8VpjtHuLC8AeSuIjQAg&gws_rd=ssl#safe=strict&q='+encodeURIComponent(keyword)+'+site:xgfe.github.io';
        }
        return false;
      });
  </script>
  <!-- baidu 站长自动推送 -->
  <script>
  (function(){
      var bp = document.createElement('script');
      bp.src = '//push.zhanzhang.baidu.com/push.js';
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(bp, s);
  })();
  </script>
</body>
</html>
